This is a place for me to ruminate about Privacy. Since I work as Google's Global Privacy Counsel, I need to point out that these ruminations are mine, not Google's. Please don't attribute them to Google.

Monday, August 27, 2007

Data Protection Officers according to German law

Some of you might be interested in German law on data protection officers. I’m going to give this to you in factual terms. [This isn’t legal advice, and it’s not commentary: so, I’m not commenting on how much or little sense I think this makes in practice.]

Since August 2006, under the German Federal Data Protection Act (Bundesdatenschutzgesetz), the appointment of a Data Protection Officer (“DPO”) is compulsory for any company or organization that employs more than nine people in its automated personal data processing operations.

Anyone appointed as DPO must have the required specialist knowledge (technical and legal) and reliability (Fachkunde und Zuverlässigkeit). He or she need not be an employee; an outside expert can be appointed instead (i.e., the function can be outsourced). Either way, the DPO reports directly to the head of the company (Leiter); must be allowed to carry out his or her function free of instructions (weisungsfrei); may not be penalized for carrying out that function; and can only be dismissed in exceptional circumstances, subject to special safeguards (note that these exceptional circumstances include removal as DPO at the request of the relevant DPA). The company is furthermore required by law to provide the DPO with adequate facilities in terms of office space, personnel, etc.

The main task of the DPO is to ensure compliance with the Act and any other data protection-relevant legal provisions in all of the personal data processing operations of his or her employer or principal. To this end, the company must provide the DPO with an overview of its processing operations. This overview must include the information that would otherwise (i.e., had the company not appointed a DPO) have had to be notified to the authorities, as well as a list of the persons who are granted access to the various processing facilities. In practice, the first task of a DPO is often to compile a register of this information and to suggest appropriate amendments (e.g., clearer definitions of the purpose(s) of specific operations, or stricter rules on who has access to which data). Once a DPO has been appointed, newly planned automated processing operations must be reported to him or her before they are put into effect.

The DPO’s tasks also include verifying the computer programs used to process personal data, and training the staff who work with such data. More generally, he or she has to advise the company on relevant operations and to suggest changes where necessary. This is a delicate matter, especially where the legal requirements are open to different interpretations. The Act therefore adds that the DPO may, “in cases of doubt,” contact the relevant DPA. Except in the special context of a “prior check,” however, the Act does not make this obligatory.

It is important to note that the DPO in Germany is not merely a cosmetic function, and both the company and the DPO should take the role seriously. The DPO must be given sufficient training and resources to do the job properly. Failure to take the DPO function seriously can have serious legal consequences, both for the company and for the DPO.

When appointing a DPO, it is important to identify any incompatibility or conflict of interest between this position and the other positions the person holds within the company. Non-compliance with the law constitutes an administrative offense that can be punished by a fine of up to €25,000. Moreover, the DPA can order the dismissal of the DPO if he or she also holds a position that is incompatible with the role of DPO. Finally, non-compliance may give rise to liability under the Act.

Unfortunately, there is no clear picture with regard to conflicts of interest; much depends on local requirements and on the views of the local DPAs. In general, the following positions are considered incompatible with the position of DPO:

- CEO, Director, Corporate Administrator, or other managerial positions that are legally or statutorily compulsory
- Head of IT / IT Administrator
- Head of HR
- Head of Marketing
- Head of Sales
- Head of Legal
- Executives of corporate units that process massive amounts of personal data or sensitive personal data

Employees in the administrative department and employees in the legal department are generally considered not to have a conflict of interest. Views differ considerably with regard to the positions of internal auditor and head of corporate security. An IT security manager can be appointed if he or she is organizationally independent within the department.

Finally, German law does not provide for a “Group DPO” (Konzerndatenschutzbeauftragter) who oversees a group of companies or a holding. A DPO must instead be appointed by each entity individually, and the DPO also has to put local data protection coordinators in place.

2 comments:

We live in an information society. Freely available information has become a new factor in the economy, indeed it is now among the most important factors of economic life. Data protection actually means the right of the individual to have his personal data protected against unauthorised use. Data protection has developed in tandem with advances in electronic information technology since the early 1970s.

Modern technology has made it easier to handle information, with the result that the amount of information being processed has soared. It has become possible to collect, systematically access and pass on virtually unimaginable quantities of data at high speed. On the other hand, this ability can lead to problems as it is necessary to protect the privacy of the individual. In this sense, data protection is described as "one of the social limits that society has to impose on technological progress." The legal limits are provided by data protection law.

Data protection law was introduced in Germany about thirty years ago; it started in Hesse in 1970. Since 1977 there has been a Federal Act. In 1983, Germany's supreme court made a further milestone in the development. Since then the basic criterion for the handling of personal data by the public administration and by private data processors has been the right of the individual to determine the use of his own data. It is particularly important to guarantee the transparency of the movement of information. Therefore, key criteria for the handling of data are "necessity" and the "purpose limitation principle". Data protection led to a new constitutional right for the individual. The "right to be left alone", i.e. to pass on or withhold information, is a basic right which derives from the constitutional right to free development of the personality. Since the Federal Data Protection Act 1977 data processing is only permitted on the basis of statutory legislation with the agreement of the individual concerned. It has thus been made possible for the individual to keep track of his personal data.

The amended Data Protection Act of 1990 is also intended to protect the individual from having his personal rights infringed upon. The individual must consent to having his personal data collected or stored, or there must be a statutory arrangement. In general the state is not allowed to collect or store personal data without the individual's consent; the main exemptions are in the fields of police investigations, intelligence services or defense. The data themselves are subject to data protection if they are not exclusively used in the private personal sphere.

Public-sector and private-sector agencies are required to inform the individual at his request about the data they hold on him.

The Federal Data Protection Act contains a number of security requirements restricting for example access to data processing facilities. Priorities lie increasingly on avoiding the storing of data and on promoting the use of it sparingly.

The Act has created the office of a Federal Data Protection Commissioner who is elected by the Bundestag. His main tasks are dealing with individual complaints and informing the plaintiff about the findings of his investigations, as well as giving recommendations to both parliament and the government.

The powers of the public data protection officials apparently (according to recent events) include obtaining data from private companies and individuals without a warrant and without court supervision; that is disturbing and the opposite of what data protection is supposed to accomplish. While the intent was laudable, in passing its data protection laws, Germany has done more harm than good.

Just as disturbing is the irrational and inconsistent application of these laws, since packet data is collected by German companies without anybody complaining about it, but the German government has a strong and vocal bias against American companies like Google.

We have a disturbing repeat of prior periods of German history, including the Third Reich and East Germany, where ill-conceived legal frameworks combine with anti-Americanism, anti-liberalism, and a totalitarian streak.